'Redeemer' Ransomware Emerges Free in Forums | SafeGuard Cyber

Written by Michael Tobey | Nov 2, 2021 1:56:53 PM

Executive Summary

  • In June 2021, an actor going by the handle "Cerebrate" released the "Redeemer" ransomware on an underground forum for free.
  • Based on the sample of the Redeemer ransomware and the actor’s actions on the forums, we judge that Cerebrate is of moderate technical sophistication and has moderate coding experience.
  • While the Redeemer ransomware does not pose any unique threats to defenders in terms of functionality, it may be appealing to entry-level actors and those in need of funds, since the ransomware is free and easy to use.

Background

During a recent review of underground forums, SafeGuard Cyber came across an actor going by the handle “Cerebrate” advertising a piece of ransomware called “Redeemer”. Cerebrate had initially released this piece of ransomware on the underground forum Dread in or around June 2021. Notably, the actor had released the malware free for download.

Multiple times since the initial release, Cerebrate has attempted to advertise the ransomware to individuals asking questions about ransomware tactics on the Dread forum. While the actor stated that the ransomware is free of charge to use, they do request a 20% share of the total ransom in XMR (Monero), though there appears to be no enforcement mechanism for this request.

Cerebrate posted that Redeemer is coded from scratch in C++ and does not require a C2 connection to operate. The Redeemer package available on Dread includes the builder and the decrypter. The builder allows the user to specify an email address to which the tool sends the decryption key; the same address is used to collect the ransom if the victim pays out. The ransomware itself appears to target only Windows operating systems from Vista onward and must be executed as an administrator in order to affect the target system. The developer also touts features such as not requiring an internet connection, which the developer claims helps thwart law enforcement tracking; the operator, however, must find their own way to infect the victim.

As seen in the builder, the attacker can specify the amount of the ransom as well. The developer states that the ransomware is FUD (Fully Undetectable), but does not specify which AV products it can successfully evade. Another note is that the developer recommends that an attacker first gain remote access to the victim in order to disable the anti-virus software. It is also important to note that Redeemer does indeed delete itself after execution. Furthermore, it will not execute if it detects another version of Redeemer on the victim machine. Redeemer also deletes system logs to mask the attacker.

Here is a look at some of the features of Redeemer as posted by the developer:

Analysis

Actor Assessment

Based on the sample of the Redeemer ransomware and the actor’s actions on the forums, we judge that Cerebrate is of moderate technical sophistication and has moderate coding experience.

  • After analyzing the Redeemer ransomware, we can confirm that it is an original creation from the actor. While the actor may have borrowed functions and code from other pieces of ransomware in the wild, they at the very least constructed it in C++, made the functions work together, and compiled it themselves. This requires at least moderate knowledge of C++ and general programming.
  • The ransomware exhibits several functions that, while standard for most ransomware today, do demonstrate knowledge of persistence and operational security.
    • It operates similarly to other pieces of ransomware found in the wild, as it requires a decryption key to decrypt the hard drive. The decryption key is almost always held by the attacker, since the builder requires an email address and the key is sent to that address. Additionally, the ransomware encrypts the entire hard drive, appending the .redeem extension to files.
    • Redeemer is not C2 (Command and Control) reliant, which means that the malware does not require an active connection to the internet or for the actor to create any attack infrastructure. This makes it difficult to track back to the attacker and also makes it difficult to tie to any identifying infrastructure.
    • Every sample of Redeemer created through the builder has a different hash value, so it is pointless to try and identify or block samples based upon hashes.
  • In regards to errors or bad OpSec, we did not find any within the operation of the ransomware. We were able to successfully execute it within a sandbox environment, and it performed all of the necessary functions.
  • While the malware does work as advertised, we did identify a couple of major drawbacks to its operation that any actor using it would have to get around, either through social engineering or by having some other means of access to the victim’s machine. These drawbacks demonstrate why we categorize Cerebrate as only moderately skilled.
    • The malware, when extracted from a zip file or written to disk, immediately gets detected by Windows Defender as ransomware. The actor using the malware would need to either have a way to shut off Windows Defender or convince the victim to shut it off themselves.
    • Redeemer requires administrator privileges in order to execute. While this simply requires the victim to “run as administrator” on their machine, it is still another social or technical hurdle that the actors need to overcome.

Monetization is likely not the highest priority for the actor with the release of Redeemer, suggesting that they are more concerned either with operational security or with their reputation.

  • In regards to Cerebrate’s marketing and possible monetization of the Redeemer ransomware, the actor has no way of enforcing the 20% cut that is requested for using the ransomware.
  • The actor may be providing it in this model to reduce personal risk, since the ransomware is completely independent of any of the developer’s infrastructure.
  • Redeemer may be a way for Cerebrate to increase reputation and visibility within the forum or the actor may even be hoping for a job opportunity to be a developer for a cybercrime gang.

Malware Assessment

The download package includes the builder and the decrypter. Once Redeemer is built, the built executable is then sent to the victim.

In the builder, the user can select five different options.

If option three is selected, the builder will then require the user to input several different things, such as the name of the key file (which is generated by the builder), an email address to which the ransom and decryption key are sent (this can be any email account), the ransom amount (in XMR), and the name of the actual Redeemer executable.

Another option you can select in the builder is to see the contact information of the developer as shown here:

Once the build is complete, the following files are created:

In order to execute Redeemer, it must be launched as an administrator or the file will not run. If Redeemer is successfully executed, it begins encrypting the file system, appending a .redeem extension to each file. Here is an example of what the filenames will look like:

A ransom note will also be generated on the victim’s desktop:

In order to decrypt the system, the attacker must use the decrypter executable and the decryption key that was sent to the attacker's specified email used in the builder.
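Because every build has a different hash (see the Actor Assessment above) while the on-disk behaviour stays the same, a defender is better served by keying on that behaviour. The following is an added example, not code from the SafeGuard Cyber post or from the malware author: it flags a host when a burst of files gain the .redeem extension within a short window. The event tuple layout, the host names, the paths, the threshold and the window are all constructed assumptions, not a real EDR schema.

```python
"""Detect a Redeemer-style encryption burst from constructed file-event records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (ISO timestamp, host, event type, path).
# WS-01 shows five renames to .redeem in three seconds; WS-02 shows two
# renames almost two hours apart, which should not trip a 60-second window.
SAMPLE_EVENTS = [
    ("2021-10-20T09:00:01", "WS-01", "rename", r"C:\Users\a\Documents\q3.xlsx.redeem"),
    ("2021-10-20T09:00:01", "WS-01", "rename", r"C:\Users\a\Documents\plan.docx.redeem"),
    ("2021-10-20T09:00:02", "WS-01", "rename", r"C:\Users\a\Pictures\img1.jpg.redeem"),
    ("2021-10-20T09:00:02", "WS-01", "rename", r"C:\Users\a\Pictures\img2.jpg.redeem"),
    ("2021-10-20T09:00:03", "WS-01", "rename", r"C:\Users\a\Desktop\notes.txt.redeem"),
    ("2021-10-20T09:00:04", "WS-01", "create", r"C:\Users\a\Desktop\report.pdf"),
    ("2021-10-20T09:05:00", "WS-02", "rename", r"C:\Users\b\old.bak.redeem"),
    ("2021-10-20T11:00:00", "WS-02", "rename", r"C:\Users\b\archive.zip.redeem"),
]


def redeem_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {host: first_event_time} for hosts where at least `threshold`
    renames to a .redeem path fall inside any `window`-long span.

    Only rename events whose target path ends in .redeem are considered;
    a sliding window over the time-sorted events does the counting.
    """
    by_host = defaultdict(list)
    for ts, host, kind, path in events:
        if kind == "rename" and path.lower().endswith(".redeem"):
            by_host[host].append((datetime.fromisoformat(ts), path))

    hits = {}
    for host, recs in by_host.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Slide the window forward until it spans at most `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = recs[start][0].isoformat()
                break
    return hits


if __name__ == "__main__":
    print(redeem_bursts(SAMPLE_EVENTS))
```

Tune the threshold and window to the normal rename rate of the environment; the same logic extends to any extension a future build might append.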

Impact

While the Redeemer ransomware does not pose any unique threats to defenders in terms of functionality not already found in other ransomware campaigns, it may still have an impact on the ransomware landscape. Since the ransomware is free to use and the payment structure is unenforceable, it may be appealing to entry-level actors and those in need of funds. Additionally, since the malware is relatively easy to use, it could also be appealing to malicious actors with little to no technical sophistication of their own.

It is interesting from a threat landscape perspective to see malware like this, because of how accessible and easy to use it is. As this and other free ransomware builders become more readily available and simpler, we may see a surge in activity from ideologically motivated actors, as we did in the early 2010s when participatory DDoS tools like LOIC and HOIC were made easily and readily available. At this time we have no indications of a hacktivist ransomware surge, but it is something we are going to keep an eye on.

At this point Redeemer has yet to catch on in widespread usage, but if Cerebrate continues to promote the ransomware and update features within it, it has the potential to become a commonly used piece of ransomware.